Vulnerability
3COM's software for HiperARC
Affected
Systems using 3COM's software for HiperARC
Description
Entropy reported the following. The software that 3Com has developed for
running the HiperARC is a bit shady. You will notice a login
account called "adm" with no password. Naturally no one wants
the "adm" login there, so they delete it from the configuration
and go on programming the box. Once the box has been programmed
and is ready to take calls, it is necessary to save all settings
and hardware-reset the box; at this point the box is fully
configured and ready to take calls. The problem is this: the
"adm" login, requiring no password, is still there after the
hardware reset! It cannot be deleted!
The admin who programmed the box has no reason to go back into
the configuration after doing the hardware reset; he has already
gone over and double-checked his settings, they all looked good,
and the hardware reset was the last step. He has
no clue that the "adm" login he deleted is still there and active.
Solution
In order to stop the "adm" login one can only disable the "adm"
login, not delete it; this is the only way to stop the login.
The 'adm' user is no different from the manage user on the older
Netserver product. Both are clearly described in the release
notes as coming with no password set. This information is
posted on Totalservice along with the 4.1.11 code:
ftp://totalservice.usr.com/pub/.docs/config.txt
The difference on the newer HARC cards is that you can add more
manage users and disable adm if so desired. The fact that
people don't read the documentation when they install new software is
the cause of this problem. The latest release of code, 4.1.72-7
(located on the Totalservice web site), has the ability to delete
the "adm" user, and it will not come back after a reboot.
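The practical check for both the report above and the vendor's remedy is the same: after saving, hardware-resetting (or disabling adm / upgrading), log in from outside as "adm" with an empty password and see whether the box lets you in. The following Python probe does that over telnet. It is an added example, not part of the original report or of 3Com's code; the login and password prompt patterns, the command-prompt characters and the telnet-option handling are assumptions about the HiperARC dialogue, since the page does not document it, and should be adjusted to the device. Run it only against equipment you are authorized to test.

```python
"""Probe a device for a live "adm" account that accepts an empty password.

Added example, not taken from the advisory or from 3Com. The prompt
patterns and prompt characters below are assumptions about the HiperARC
telnet dialogue; change them to match the device you are testing.
"""
import re
import socket

USERNAME = b"adm"
PASSWORD = b""          # per the report, the "adm" account has no password
TELNET_PORT = 23

# Assumed prompt patterns (not from 3Com documentation).
LOGIN_PROMPT = re.compile(rb"(login|user ?name)\s*:\s*$", re.IGNORECASE)
PASSWORD_PROMPT = re.compile(rb"password\s*:\s*$", re.IGNORECASE)
FAILURE_TEXT = re.compile(rb"(invalid|incorrect|denied|failed|bad)", re.IGNORECASE)
COMMAND_PROMPT_CHARS = (b">", b"#", b"$", b"%")
# After the password is sent, read until a command prompt or another ':' prompt.
POST_PASSWORD = re.compile(rb"[>#$%]$|:$")

# Telnet option negotiation: IAC (0xff) followed by WILL/WONT/DO/DONT and an
# option byte, or IAC plus a single command byte. Stripped rather than answered.
IAC_SEQUENCE = re.compile(rb"\xff[\xfb-\xfe].|\xff.", re.DOTALL)


def _strip_iac(buf: bytes) -> bytes:
    """Remove basic telnet negotiation bytes so prompt matching sees only text."""
    return IAC_SEQUENCE.sub(b"", buf)


def classify_response(after_password: bytes) -> str:
    """Classify what the device sent after the empty password was submitted.

    "open"     - a command prompt appeared, so adm with no password logged in
    "rejected" - an error message or a fresh login prompt came back
    "unknown"  - neither pattern matched (timeout, banner only, odd prompt)
    A post-login banner that happens to contain a word like "denied" would be
    misread as "rejected"; tune FAILURE_TEXT to the device if that happens.
    """
    text = _strip_iac(after_password).rstrip()
    if FAILURE_TEXT.search(text) or LOGIN_PROMPT.search(text):
        return "rejected"
    if text.endswith(COMMAND_PROMPT_CHARS):
        return "open"
    return "unknown"


def _read_until(sock: socket.socket, pattern: "re.Pattern[bytes]", timeout: float) -> bytes:
    """Read until the (IAC-stripped, right-stripped) buffer matches pattern or the line goes quiet."""
    sock.settimeout(timeout)
    buf = b""
    while True:
        try:
            chunk = sock.recv(1024)
        except socket.timeout:
            return buf
        if not chunk:            # remote closed the connection
            return buf
        buf += chunk
        if pattern.search(_strip_iac(buf).rstrip()):
            return buf


def probe(host: str, port: int = TELNET_PORT, timeout: float = 5.0) -> str:
    """Try to log in as "adm" with an empty password; return classify_response()'s verdict."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        _read_until(sock, LOGIN_PROMPT, timeout)
        sock.sendall(USERNAME + b"\r\n")
        _read_until(sock, PASSWORD_PROMPT, timeout)
        sock.sendall(PASSWORD + b"\r\n")
        after = _read_until(sock, POST_PASSWORD, timeout)
        return classify_response(after)


if __name__ == "__main__":
    import sys
    # 192.0.2.10 is a documentation address used here as a constructed placeholder.
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"
    print(f"{target}: adm with empty password -> {probe(target)}")
```

A verdict of "open" on a box that has been configured, saved and hardware-reset is exactly the condition the report describes; re-run the probe after disabling adm or after loading 4.1.72-7 and deleting the user to confirm the fix actually survived the reboot.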